Aspects of the present invention relate to data transmission. Other aspects of the present invention relate to authenticated data transmission.
In the age of electronic transactions, a party to a transaction often must reveal confidential or sensitive information to another party to the transaction. For instance, a user may have to furnish a service provider with information that proves that the user is qualified to receive the service or has the resources to pay for the service. The service provider may be termed a relying party; the service provider relies on the furnished information to justify doing business with the user. For example, a provider of services to physicians may need to verify that a user has a valid medical license in some state, to acquire the user's Drug Enforcement Administration (DEA) license number, or to verify that no sanctions have been imposed on the DEA license. Typically, a user may not want such information to become public.
A digital certificate is an electronic “identity card” that establishes a user's credentials when the user participates in a transaction on the World Wide Web (WWW). Such a digital certificate may be issued by a certification authority (CA), complying with known standards, such as the X.509 Public Key Infrastructure (PKI) for the Internet, see, e.g., RFC 2459. A digital certificate may be stored in a publicly accessible registry. The user's digital certificate contains the user's public key, and the user keeps the corresponding private key secret. When needed, a relying party, for authentication purposes, can access the credential information contained in the user's certificate.
FIG. 1 (prior art) illustrates an exemplary architecture for digital certificate based authentication. A user 110 provides credential information 115 to a certification authority 120 that subsequently generates a digital certificate 125 for the user 110. The digital certificate 125 may be registered in a public registry 130. When the user 110 signs a service request with his private key and sends the service request 135 to a relying party 140, the relying party 140 accesses the public registry 130 to obtain the digital certificate 125 corresponding to the user 110. Based on the credential information contained in the digital certificate 125 and the validity of the signature provided by the user 110, the relying party 140 generates a service response 145 and sends it to the user 110. According to the credential information contained in the digital certificate 125, the relying party 140 may either grant or deny the service request 135.
In FIG. 1, because the digital certificate is publicly accessible, the user's credential information becomes public as well. For users who wish to shield certain information from the public, certificate 100 is not a safe means to convey such information. In addition, the relying party 140 cannot be certain that the information contained in the digital certificate 125 is up to date or even valid. For instance, some of the information contained in a digital certificate may change over time. Yet, all information in the digital certificate 125 is static. In order to modify even one item of information therein, the certification authority 120 must revoke the digital certificate 125 and issue an entirely new certificate.
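The FIG. 1 exchange, written out as an added Go example that is not part of the patent text: the CA, public registry, user and relying party are stand-ins, the user name and the credential string are constructed samples carried in the certificate's OU field, and Ed25519 keys are assumed for brevity. The same code makes the preceding paragraph's point visible: any party that can parse the registered certificate can read the credential, no key required.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Registry stands in for public registry 130: any party can look up a certificate by name.
type Registry map[string][]byte // user name -> DER-encoded certificate

// IssueCertificate plays certification authority 120. The credential (a constructed sample
// such as "MedicalLicense:VALID") sits in the OU field: readable by anyone, and static.
func IssueCertificate(caPub ed25519.PublicKey, caPriv ed25519.PrivateKey,
	user, credential string, userPub ed25519.PublicKey) ([]byte, error) {
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), PublicKey: caPub}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		Subject: pkix.Name{CommonName: user, OrganizationalUnit: []string{credential}}}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, userPub, caPriv)
}

// Authorize plays relying party 140: fetch the user's certificate from the registry, verify the
// request signature with the certificate's public key, then grant or deny on the credential.
func Authorize(reg Registry, user string, request, sig []byte, required string) (bool, error) {
	der, ok := reg[user]
	if !ok {
		return false, errors.New("user has no registered certificate")
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, err
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, request, sig) {
		return false, errors.New("request signature does not verify")
	}
	for _, ou := range cert.Subject.OrganizationalUnit {
		if ou == required {
			return true, nil // credential present: grant the service request
		}
	}
	return false, nil // signature valid, but certificate lacks the credential: deny
}
```

The user's side (signing the request) is a single `ed25519.Sign` call over the request bytes; the relying party never needs more than the registry entry to both verify the signature and read every credential the CA embedded.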
A different scenario relates to delegated credentials in a delegation relationship. When a party (e.g., a delegator) delegates certain authority to another party (e.g., a delegate), the delegate may use the delegated authority to request authorized services. For example, a physician may delegate an office administrator to obtain information, from a relying party, about the usage of certain drugs. To obtain the desired information from the relying party, the administrator may need to, first, show that he or she has the delegated authority to make the inquiry and, second, provide the relying party with the physician's necessary credential information. At the same time, the delegator may require the flexibility to change the terms of a delegation when such a need arises.